I have a vue3 app that authenticates to a Laravel backend using Sanctum.
My auth workflow for the Sanctum backend looks like this:
Auth::login($user)
is called, creating the sessionI'm trying to add a Google sign-in via Socialite. The workflow as described in the Socialte docs is this:
public function redirect(): \Symfony\Component\HttpFoundation\RedirectResponse|\Illuminate\Http\RedirectResponse
{
return Socialite::driver('google')->redirect();
}
public function callback(Request $request): \Illuminate\Http\RedirectResponse|\Symfony\Component\HttpFoundation\RedirectResponse
{
session()->put('state', $request->input('state'));
$googleUser = Socialite::driver('google')->user();
// business-specific auth logic
Auth::login($user);
session()->regenerate();
// attempt to add cookie manually, does not work
$cookie = new Cookie(
session()->getName(),
session()->getId(),
config('session.lifetime'),
'/',
'.app.local',
false,
true,
false,
'lax'
);
return redirect('http://app.local/dashboard')->withCookie($cookie);
}
The problem is that this redirect doesn't include the Sanctum cookies. Google redirects to the API back-end, which then redirects back to the front-end. So when the front-end loads, the client does not have the cookies necessary for the ensuing protected back-end requests, and the front-end redirects back to the login screen.
I have tried many things to make this work, but I can't quite figure out a solution here. Creating the cookie manually doesn't seem to work; Chrome won't show the headers on the request. It instead says "Provisional headers are shown".
This issue is likely caused by having to use an ngrok URL as the redirect
value in the config file.
Google requires you to use a public URL, so I used an NGROK url as the callback URL. This seems to strip the request of the cookies needed to authenticate with Sanctum, stranding the request without a way to communicate the session ID to the back end.
Pushing to a public test environment fixes the issue.